Merge branch 'main' of ssh://code.freedombone.net:2222/bashrc/epicyon into main

Bob Mottram 2020-12-11 11:39:57 +00:00
commit 645ba822dc
7 changed files with 26 additions and 20 deletions


@ -166,7 +166,7 @@ def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
invalidPartials = ('127.0.', '192.168', '10.0.') invalidPartials = ('127.0.', '192.168', '10.0.')
invalidStrings = ('script', 'canvas', 'style', 'abbr', invalidStrings = ('script', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body', 'frame', 'iframe', 'html', 'body',
'hr') 'hr', 'allow-popups', 'allow-scripts')
for markup in contentSections: for markup in contentSections:
if '>' not in markup: if '>' not in markup:
continue continue
@ -358,7 +358,7 @@ def addWebLinks(content: str) -> str:
if w.endswith('.') or w.endswith(';'): if w.endswith('.') or w.endswith(';'):
w = w[:-1] w = w[:-1]
markup = '<a href="' + w + \ markup = '<a href="' + w + \
'" rel="nofollow noopener" target="_blank">' '" rel="nofollow noopener noreferrer" target="_blank">'
for prefix in prefixes: for prefix in prefixes:
if w.startswith(prefix): if w.startswith(prefix):
markup += '<span class="invisible">' + prefix + '</span>' markup += '<span class="invisible">' + prefix + '</span>'
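Review bot: In the addWebLinks hunk the word `w` is spliced straight into `href="..."` with no attribute escaping, so a word containing `"` or `>` terminates the attribute and injects further markup; adding `noreferrer` to `rel` does not change that. Unless the part of the function above this hunk already rejects such characters (its start is outside the hunk), escape at the point of use: `markup = '<a href="' + html.escape(w, quote=True) + \` with `import html` at the top of the module. The dangerousMarkup hunk above is a substring denylist and the comparison itself is not visible here, so it is worth confirming that it lowercases the markup before matching, otherwise `<SCRIPT>` or `ALLOW-SCRIPTS` slip past the new entries. Both functions continue beyond the hunks shown.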


@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
self.server.proxyType, version, self.server.proxyType, version,
self.server.debug, self.server.debug,
self.server.YTReplacementDomain, self.server.YTReplacementDomain,
self.server.showPublishedDateOnly) self.server.showPublishedDateOnly,
self.server.allowLocalNetworkAccess)
def _postToOutboxThread(self, messageJson: {}) -> bool: def _postToOutboxThread(self, messageJson: {}) -> bool:
"""Creates a thread to send a post """Creates a thread to send a post


@ -355,18 +355,6 @@ def newswireHashtagProcessing(session, baseDir: str, postJsonObject: {},
# Block this item # Block this item
if actionStr.startswith('block') or actionStr.startswith('drop'): if actionStr.startswith('block') or actionStr.startswith('drop'):
return False return False
# TODO
# If routing to another instance
# sendSignedJson(postJsonObject: {}, session, baseDir: str,
# nickname: str, domain: str, port: int,
# toNickname: str, toDomain: str, toPort: int, cc: str,
# httpPrefix: str, False, False,
# federationList: [],
# sendThreads: [], postLog: [], cachedWebfingers: {},
# personCache: {}, False, __version__) -> int:
# if actionOccurred:
# return True
return True return True


@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
from delete import outboxDelete from delete import outboxDelete
from shares import outboxShareUpload from shares import outboxShareUpload
from shares import outboxUndoShareUpload from shares import outboxUndoShareUpload
from content import dangerousMarkup
def postMessageToOutbox(messageJson: {}, postToNickname: str, def postMessageToOutbox(messageJson: {}, postToNickname: str,
@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
personCache: {}, allowDeletion: bool, personCache: {}, allowDeletion: bool,
proxyType: str, version: str, debug: bool, proxyType: str, version: str, debug: bool,
YTReplacementDomain: str, YTReplacementDomain: str,
showPublishedDateOnly: bool) -> bool: showPublishedDateOnly: bool,
allowLocalNetworkAccess: bool) -> bool:
"""post is received by the outbox """post is received by the outbox
Client to server message post Client to server message post
https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
postToNickname, postToNickname,
domain, port, domain, port,
messageJson) messageJson)
# check that the outgoing post doesn't contain any markup
# which can be used to implement exploits
if messageJson.get('object'):
if isinstance(messageJson['object'], dict):
if messageJson['object'].get('content'):
if dangerousMarkup(messageJson['object']['content'],
allowLocalNetworkAccess):
print('POST to outbox contains dangerous markup: ' +
str(messageJson))
return False
if messageJson['type'] == 'Create': if messageJson['type'] == 'Create':
if not (messageJson.get('id') and if not (messageJson.get('id') and
messageJson.get('type') and messageJson.get('type') and
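Review bot: The new guard `if messageJson['object'].get('content'):` only tests truthiness, so a client-supplied object whose `content` is a list or dict is passed to `dangerousMarkup`, which is annotated `content: str` and will presumably raise instead of returning False. Bind and type-check the value first: `content = messageJson['object'].get('content')` followed by `if isinstance(content, str) and dangerousMarkup(content, allowLocalNetworkAccess):`. Only `content` is inspected; if the object's `summary` or `name` is rendered as HTML anywhere (not visible here), the same check should cover those fields too. The `print` also dumps the entire rejected message to stdout, which is a lot of untrusted text to put in the log; the object id alone would usually do. postMessageToOutbox continues beyond this hunk.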


@ -149,6 +149,8 @@ def setHashtagCategory(baseDir: str, hashtag: str, category: str,
if not os.path.isfile(hashtagFilename): if not os.path.isfile(hashtagFilename):
return False return False
if not os.path.isdir(baseDir + '/tags'):
os.mkdir(baseDir + '/tags')
categoryFilename = baseDir + '/tags/' + hashtag + '.category' categoryFilename = baseDir + '/tags/' + hashtag + '.category'
if force: if force:
# don't overwrite any existing categories # don't overwrite any existing categories
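Review bot: The added `if not os.path.isdir(...)` / `os.mkdir(...)` pair is check-then-act: when two requests take this path at the same time (the server is threaded, see `_postToOutboxThread` elsewhere in this commit) the second `mkdir` raises FileExistsError. Replace the two lines with `os.makedirs(baseDir + '/tags', exist_ok=True)`, or keep `os.mkdir` inside `try`/`except FileExistsError` if creating a missing `baseDir` is unwanted. `hashtag` is also joined into `categoryFilename` unescaped; the `hashtagFilename` existence check above presumably constrains it already, but the start of setHashtagCategory is outside this hunk so that cannot be confirmed here.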


@ -216,7 +216,8 @@ def getLeftColumnContent(baseDir: str, nickname: str, domainFull: str,
# add link to the returned html # add link to the returned html
htmlStr += \ htmlStr += \
' <p><a href="' + linkStr + \ ' <p><a href="' + linkStr + \
'" target="_blank" rel="noopener noreferrer">' + \ '" target="_blank" ' + \
'rel="nofollow noopener noreferrer">' + \
lineStr + '</a></p>\n' lineStr + '</a></p>\n'
linksFileContainsEntries = True linksFileContainsEntries = True
else: else:


@ -243,7 +243,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
title = removeLongWords(item[0], 16, []).replace('\n', '<br>') title = removeLongWords(item[0], 16, []).replace('\n', '<br>')
htmlStr += '<p class="newswireItemVotedOn">' + \ htmlStr += '<p class="newswireItemVotedOn">' + \
'<a href="' + item[1] + '" target="_blank" ' + \ '<a href="' + item[1] + '" target="_blank" ' + \
'rel="noopener noreferrer">' + \ 'rel="nofollow noopener noreferrer">' + \
'<span class="newswireItemVotedOn">' + title + \ '<span class="newswireItemVotedOn">' + title + \
'</span></a>' + totalVotesStr '</span></a>' + totalVotesStr
if moderator: if moderator:
@ -271,7 +271,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
if moderator and moderatedItem: if moderator and moderatedItem:
htmlStr += '<p class="newswireItemModerated">' + \ htmlStr += '<p class="newswireItemModerated">' + \
'<a href="' + item[1] + '" target="_blank" ' + \ '<a href="' + item[1] + '" target="_blank" ' + \
'rel="noopener noreferrer">' + \ 'rel="nofollow noopener noreferrer">' + \
title + '</a>' + totalVotesStr title + '</a>' + totalVotesStr
htmlStr += ' ' + dateShown htmlStr += ' ' + dateShown
htmlStr += '<a href="/users/' + nickname + \ htmlStr += '<a href="/users/' + nickname + \
@ -283,7 +283,7 @@ def htmlNewswire(baseDir: str, newswire: {}, nickname: str, moderator: bool,
else: else:
htmlStr += '<p class="newswireItem">' + \ htmlStr += '<p class="newswireItem">' + \
'<a href="' + item[1] + '" target="_blank" ' + \ '<a href="' + item[1] + '" target="_blank" ' + \
'rel="noopener noreferrer">' + \ 'rel="nofollow noopener noreferrer">' + \
title + '</a>' + \ title + '</a>' + \
totalVotesStr totalVotesStr
htmlStr += ' <span class="newswireDate">' htmlStr += ' <span class="newswireDate">'
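Review bot: In all three rewritten anchors `item[1]` (the feed link) and `title` are concatenated into the HTML unescaped; newswire items come from remote RSS/Atom feeds, so a `"` in the link terminates the `href` attribute and any markup that survives `removeLongWords` in the title is emitted as-is. Unless the feed parser escapes these before they reach htmlNewswire (not visible here), escape at the point of use, e.g. `'<a href="' + html.escape(item[1], quote=True) + '" target="_blank" ' + \` in each anchor and `html.escape(item[0])` before the `removeLongWords` call, with `import html` in the module. `nofollow noopener noreferrer` is the right rel set for an external untrusted link. The htmlNewswire body continues outside these hunks.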